SMS spoofing is a common cyberattack. Fraudsters use specialized software to manipulate the SMS sender ID, making it appear as though the message is coming from a legitimate source, such as a bank. In this way, they can steal sensitive information or install malware on the recipients’ phones.
Types of SMS spoofing
It can be challenging to distinguish between legitimate and spoofed messages. To protect yourself, it's crucial to remain vigilant and cautious when responding to unsolicited SMS. Here are some common examples of SMS spoofing:
- Fake sender ID
The most common type of spoofing is replacing the sender ID with a reputable business’s number or name. For example, scammers would impersonate Binance or TrustWallet to send phishing SMS. These SMS would be grouped under the same thread as the official messages, like 2FA codes. This is because the hackers used SMS spoofing to manipulate the sender ID and disguise the actual source of the message.
- Fake money transfer
Scammers would claim that the recipient has won a prize. They would then ask the recipient to provide their bank details so the winnings can be deposited, or to visit a link to claim the prize.
This involves sending threatening or inappropriate messages to intimidate victims, hoping to extort money from them. For example, scammers may threaten to ban the user’s account. Hackers often take advantage of your fear of losing assets. In this situation, you should remain calm and verify the message before acting.
How to avoid SMS spoofing?
- Verify incoming messages: Always double-check the source of an incoming message before responding. Be cautious of any unsolicited messages or those that seem suspicious. When in doubt, you can contact Binance Customer Service to verify the sender’s identity.
- Enable two-factor authentication (2FA): 2FA adds an extra layer of security to your accounts, making it more difficult for hackers to gain access through SMS spoofing.
- Do not share personal information: Never share sensitive information (e.g., passwords, credit card numbers, and social security numbers) through text messages, especially with unverified contacts.
- Do not click on suspicious links: Don't click any links sent to you via text message without verifying their legitimacy. Links could lead to phishing websites that attempt to steal your login credentials or install malware on your device. Make sure you use the business’ official website. For example, if you’re unsure whether the link, email, phone number, WeChat ID, Twitter account, or Telegram ID is official, you can verify it on Binance Verify.
For example, here’s a list of suspicious phishing websites impersonating Binance.
Examples of SMS spoofing
1. Fake account upgrade notification
A Binance user received an SMS with the sender name “Binance”, asking them to upgrade their account to continue using Binance service.
Hackers used specialized software to manipulate the SMS sender ID, making the fake SMS appear as though it was legitimately coming from Binance. As the fake SMS was under the same thread as the official 2FA code messages, the user assumed that the message was legitimate. After they logged in to the phishing website, their account credentials were stolen by hackers.
2. Fake withdrawal cancellation request
Another Binance user received a fake SMS to confirm a withdrawal. The user thought the message was legitimate and logged in to their account on the phishing website to “cancel the withdrawal request”.
After obtaining the user’s credentials, the hacker initiated a withdrawal request from their account and guided them to enter the 2FA code on the phishing website. After the user entered the code, the hacker withdrew their assets successfully.
Some lessons from this example:
- The user didn’t verify the website URL. You should always verify any link you receive on Binance Verify before visiting it.
- The user thought that the 2FA code was used to cancel withdrawal requests. However, if they had checked the message carefully, they would have noticed that the 2FA code was intended to confirm a withdrawal request. Therefore, check carefully when you receive a 2FA code message. Always confirm the use of the 2FA code before entering it.
3. Fake account verification
Several Binance users received an SMS with a link to verify or upgrade their accounts, which was a phishing attempt to steal their account credentials.
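The link-verification advice above, as an added example that is not part of the original article: a small check that ignores the SMS sender name (which can be spoofed) and looks only at the host each link actually points to. It assumes `binance.com` is the only official domain; the function names and sample messages are constructed for illustration, and it does not replace checking a link on Binance Verify.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: the only official domain is binance.com.
OFFICIAL_DOMAINS = {"binance.com"}

# Links with a scheme, or bare "host.tld/path" tokens without one.
LINK_RE = re.compile(r"https?://\S+|(?:[\w-]+\.)+[a-z]{2,}\S*", re.I)

def link_host(token):
    """Return the host a link token really resolves to, lower-cased."""
    token = token.rstrip(".,;:!?)")          # drop sentence punctuation
    if "://" not in token:
        token = "https://" + token           # let urlsplit find the host
    try:
        host = urlsplit(token).hostname or ""
    except ValueError:                       # malformed link: treat as unknown
        return ""
    return host.rstrip(".").lower()

def is_official(host):
    """True only for an official domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def untrusted_links(body):
    """Hosts linked in an SMS body that are not official domains."""
    hosts = [link_host(m.group(0)) for m in LINK_RE.finditer(body)]
    return [h for h in hosts if not is_official(h)]

if __name__ == "__main__":
    # Constructed messages; every one arrives with sender name "Binance".
    samples = [
        "Your verification code is 123456. Do not share it.",
        "Upgrade your account: https://binance.com.account-upgrade.example/login",
        "Cancel withdrawal: https://binance.com@withdraw-cancel.example/c",
        "Manage security at https://www.binance.com/security.",
    ]
    for body in samples:
        bad = untrusted_links(body)
        verdict = "DO NOT OPEN: " + ", ".join(bad) if bad else "no untrusted links"
        print(f"{verdict:55} | {body}")
```

The second and third samples show why reading only the start of a link is not enough: the official name appears first, but the host the phone would connect to is a different domain.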